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WHAT IT IS, WHAT IT IS NOT 


© capability of giving SQL commands to a database 
engine exploiting a pre-existing application 
© not exclusive to Web applications, but widespread 
vulnerability in Web sites 
e vulnerabilities exist in 60% of Web sites they have tested 
(from: OWASP, Open Web Application Security Project) 
o not due to inadequate development of Web 
applications, nor a fault of the Web / RDBMS server 
e developers not yet sufficiently aware 
e low-quality info in the Web on how to prevent the problem 
e detailed info in the Web on how to exploit vulnerabilities 
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WHAT APPLICATIONS ARE VULNERABLE? 


© 1n practice, all databases based on SQL 


e MS SQL Server, Oracle, MySQL, Postgres, DB 2, 
Informix etc. 


o databases accessed thru applications based on 
most of modern (and non-modern) technologies 


e Perl, CGI, ASP, PHP, XML, Javascript, VB, C, Java, 
Cobol etc. 
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HOW IT WORKS 


© client injects SQL code into the input data of an 
application 
e typical scenario: application dynamically creates SQL 
query using altered data (obtained from outside), 
without good validation of such data 


o target of the attack: server of an application 


© goal: allow the client to access the database used 
by the attacked server 
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EXAMPLE 


o if the following query returns data... 
SELECT * FROM users 


WHERE login = ‘damore' 
AND password = ‘'qwerty' 
o example of login syntax ASP/MS SQL Server 
var sql = "SELECT * FROM users WHERE login = '" + 
formusr + "' AND password = '" + formpwd + "'"; 
olf 
e formusr =' or 1=1 -- 


e formpwd arbitrary 
© query becomes into SELECT * FROM users 


WHERE login = ‘' or 1=1 
-- AND password = 
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SQL INJECTION ATTACK 


o attacker can access database 1n read/write/admin 
e depends on the vulnerability of the specific DBMS 


o impact of the attack 1s potentially HIGH 
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POSSIBLE HTML FORM 


© from Wikipedia ( 
http://it.wikipedia.org/wiki/SQL_injection) 


<form action="login.php' method='post'> 
Username: <input type="text" name='"user' /> 
Password: <input type='password' name='pwd' /> 
<input type="submit’ value='Login' /> 

</form> 
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POSSIBLE LOGIN.PHP FILE 


<? 


°> 


php 

//Prepares query, 1na variable 

$query = "SELECT * FROM users WHERE user='".$_POST 
['user']."' AND pwd='".$ POST[L'pwd']."'"; 


//Execute query Csuppose a valid connection to 
database 1S already open and its state is stored 
in $db) 


$sql = mysql_query($query, $db) ; 

//Count number of lines that have been found 

if(mysql_affected_rows($sql)>0) { 
//authenticated! 
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CONSEQUENCES 


o if script does not make input analysis and 
validation, user can send 

user = blah 

pwd = ' OR user=‘blah' 

oO we get the query 

SELECT * FROM users 

WHERE user=‘blah' AND pwd='' OR user=‘blah' 


o if at least one tuple does exist, attacker obtains 


authenticated access 
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OTHER (WORSE) CONSEQUENCES 


o symbol ';' is exploited, it allows to concatenate 
commands 
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pwd = ' OR user=‘blah'; DROP TABLE users; 
oO or 
pwd = ' OR user=‘blash'; INSERT INTO users 


(...) VALUES (...); 


LINKS 


© examples 


e http://www.owasp.org/index.php/SQL Injection 

e http://www.unixwiz.net/techtips/sql-injection. html 
o Sqlninja: example of tool for supporting attacks 

http://sqlninja.sourceforge.net/ 


e it tries to use SQL injection on applications based on 


MS SQL Server 
e its goal is to obtain an interactive shell on the remote 
DB server 


o WebScarab: example of tool for prevention 


http://www.owasp.org/index.php/ 
Category: 0.WASP. WebScarab_ Project 


e powerful, good prevention, even against other types of 
attack 
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PREVENTING SQL INJECTION 


0 input validation 
e chent side 


e to be considered within the wider subject of software 
correctness and robustness 


© parameterized queries 
e based on predefined query strings 


0 use of stored procedures 


e subroutines that are defined at server side, available 
to applications accessing the RDBMS 


e can validate input at server side 


6002 J8quis098q 


eJowy,p ‘| Aq ‘uonoelu] OS 


INPUT VALIDATION AT CLIENT SIDE 


oO use scripts, e.g., Javascript 


o can be made weaker by the security settings of the 
browser 


© 1n some cases, can be bypassed thru suitable 
change of the HTML source code 
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PARAMETERIZED QUERIES 
o avoid the traditional dynamic query string, where 


pre-defined substrings have to be replaced by user 
defined text 


o based on pre-defined query strings, where suitable 
parameters have to be inserted 


o example: Java Prepared Statement 
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JAVA PREPARED STATEMENTS 


© see Sun tutorial on JDBC ( 


http://Jjava.sun.com/docs/books/tutorial/jdbc/basics/ 
index.html) 

o technique based on Java class PreparedStatement 

e initially proposed for improving the speed of 
frequently executed queries 

o when PreparedStatement is instantiated, an SQL 
query is built (and compiled): 1t may contain the 
symbol '?' to denote possible parameters necessary 
to query 

© query structure is fixed 
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PRACTIC EXAMPLE 


// define query schema 


String selectStatement = "SELECT * FROM USer WHERE 
userid = ? ": 


// instantiate PreparedStatement object by means of 
purposed method of db connector (class Connection) 


PreparedStatement prepStmt = con.prepareStatement 
(selectStatement) ; 


// provide parameter thru setxxx 


prepStmt.setString(1, userId); // 1 -> first 
parameter 


// execute query 
ResultSet rs = prepStmt.executeQuery() ; 
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VULNERABILITIES IN PREPARED STATEMENTS 


o Java prepared statements, if not carefully packed, 
may be vulnerable to SQL injection 


o example 
String strUserName = 
request.getParameter("Txt_UserName’ ) ; 
PreparedStatement prepStmt = 
con.prepareStatement("SELECT * FROM user 
WHERE userId = '+strUSerName+'"); 


© a prepared statement is built, using a non- 
validated input parameter! 
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STORED PROCEDURES: WHAT AND WHY 


© compiled procedures (subroutines) made available 
at server side to build/support batches operating 
on DB 


© code is optimized, but DB server incurs higher 
processing costs 
e also improve code readability 


o they help to imit SQL injection attacks 


e but they are not exempt from vulnerabilities 
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USE OF STORED PROCEDURES 


o also known as proc, sproc, StoPro or SP, belong to 
data dictionary 

o typical uses 
e data validation 
e access control mechanisms 
e centralization of logic that was initially contained 

inside the applications 

Oo similar to the user-defined functions, but with 

different syntax 


e functions can appear everywhere in SQL strings, this 
is not true for stored procedure calls 
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DATA VALIDATION THRU SP 


A few controls (partial list) 
o format (e.g., digits or dates) 


o types (e.g., if text has been inserted when digits are 
expected) 


o range (check data that should belong to an admissible 
interval) 


mandatory data 
parity control 


consistence M/F, S/P 


cross-system consistence (data on several systems; 
e.g., name + surname vs. surname + name) 


O 
O 
o orthography and grammar 
O 
O 


o existence of referred files 
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